CVE-2020-9289

7.5HIGH

Key Information:

Vendor
Fortinet
Status
Fortinet Fortimanager
Vendor
CVE Published:
16 June 2020

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

Use of a hard-coded cryptographic key to encrypt password data in CLI configuration in FortiManager 6.2.3 and below, FortiAnalyzer 6.2.3 and below may allow an attacker with access to the CLI configuration or the CLI backup file to decrypt the sensitive data, via knowledge of the hard-coded key.

Affected Version(s)

Fortinet FortiManager FortiManager 6.2.3 and below

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-9289
Created by synacktiv

References

https://fortiguard.com/psirt/FG-IR-19-007
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.